"Your account is locked" msg after Big Sur upgrade

If you have another admin account to login, please refer all steps

• login with admin account
• delete user (swapnilt) with "Don't change the home folder"
• Note - All data remains in "swapnilt (Deleted)" folder

• connect company network
• login with same id (swapnilt) and create mobile account
• run sudo dsconfigad -passinterval 0
• logout
• login with admin account again
• delete new user profile created under /users/swapnilt
• revert old deleted directory name from "swapnilt (Deleted)" to "swapnilt"

We have resolved 20+ systems till now, please let me know if any other shortcut

I had this issue previously too, but literally a few minutes ago I had resolved it:

Based on this article (https://support.apple.com/en-ca/guide/directory-utility/ior6d33c187e/mac), the password needs to be updated in 3 different places. Re-joining the laptop to domain and purging the keychain did not help, but this did it.

• connect to the domain (ethernet cable preferred)
• go to System Preferences > Users & Groups > click on "Change Password" for the domain account (the affected user profile) > change your password
• verify the password is updated somehow -- "net user THEUSERNAME /domain" in Command Prompt -- or just wait a couple of minutes for the change to sync to AD
• disconnect from the domain (go offline with no WiFi connection)
• try logging back in with the newly changed password

I'm interested to see if the user profile will break in future Big Sur upgrades though. We'll see.

I also posted in this thread, which I'll update: https://discussions.apple.com/thread/252113371

Hello,

If we understand correctly, you upgraded macOS and now you cannot log in because it is not accepting the password. We would recommend you use this article to help troubleshoot the issue.

Change or reset the password of a macOS user account

Please don't hesitate to let us know if the steps resolved your issue or if you need additional assistance.

Thank you for using Apple Support Communities. Have a good one.

This worked great for me but for those of you who try it, it's a workaround and not a solution. In reference to Apple's Directory Utility Support Site, setting passinterval to 0 will disable automatically changing the mobile user's account password to match AD's. When the user changes their domain account password, they will need to go into their keychain and change it to match the new one in AD.

1. Yes, Admin account and VPN connecton is required if you are working from home. Even user password is required to create new account.
2. Rename user profile from /Users/username to /Users/usernameX
3. delete user account from SystemPref > Users& Groups
4. Run below commands using terminal
5. sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
6. dscacheutil -q user -a name username
7. sudo dsconfigad -passinterval 0
8. Login
9. Enter user
10. Password
11. this will create new user account
12. after this we need to restore user profile
13. /Users/username to /Users/username_Del
14. & then /Users/usernameX to /Users/username

1. Yes, Admin account and VPN connecton is required if you are working from home. Even user password is required to create new account.
2. Rename user profile from /Users/username to /Users/usernameX
3. delete user account from SystemPref > Users& Groups
4. Run below commands using terminal
5. sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
6. dscacheutil -q user -a name username
7. sudo dsconfigad -passinterval 0
8. Login
9. Enter user
10. Password
11. this will create new user account
12. after this we need to restore user profile
13. /Users/username to /Users/username_Del
14. & then /Users/usernameX to /Users/username

Login with admin account, connect VPN

Rename user profile to aduser1X

Delete user from Preferences

• sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n aduser1

Enter superadmin password

enter username as superadmin

Enter superadmin password

• dscacheutil -q user -a name pragyatripathi
• Login

Enter aduser1

Enter Password

provide admin access temp and run below command

• sudo dsconfigad -passinterval 0

Remove admin access

rename aduser1 to aduser1Y

rename aduser1X to aduser1

And restart computer to login

here, superadmin = admin account , aduser1 = user account

Sorry to @godihateitunes for hijacking the thread, but no that doesn't work for me. I am using a directory-enabled account that I can only talk to when VPN'd in, and I get "Authentication server could not be contacted" because I'm not VPN'd in while attempting a rescue.

that is interesting and good to know, thank you. "mobile" accounts are accounts that are using a directory, i.e. Active Directory enabled, so that tracks what i'm seeing. biggest problem i have is that i cannot travel to my company to plug in, as i'm in a different country and there are travel restrictions in these odd days, so I have little recourse at this point. It would be good to have an option to fix this... How about it Apple?

@gatorboots, do you have a local account you can log into? If so, I have found that I can log into the local account, launch the vpn and connect, switch accounts while on the vpn, and log into the mobile domain account. At that point, I have to log back into the VPN but on my mobile domain account desktop. And this is still an ongoing issue for me. Haven't figured out a real fix after a bunch of troubleshooting.

Thanks for that... i have tried it, but our VPN client disconnects when you change users, so we can't do that. We have, however, used a local account, connected VPN and then did an AD sync which should sync all user info, but that still doesn't work. I've ended up not using my directory account any more.

Thanks, @Apple...

Hi Swapnil,

just to be clear, did you verify via on Prem or Azure AD that the user was actually locked?

Did your user just stop complaining, otherwise, how did you determine the issue was truly resolved?

This is still an ongoing issue, not resolved by Apple. Mobile Domain accounts are locked out the moment the network connection is broke. I have been able to personally work around it by connecting to the network over VPN from a local account, then switching to the cached Mobile account and logging in. But that is not working for 2 other users having the same issue here.

Hi Swap,

this is nice but proved unworkable as after "delete user account" (in Users and Groups panel) in our environment, this requires the user's password - which we know doesnt work (or else they wouldn't be locked out). So the dialog pre-populates the user's name in the username field, instead of allowing any admin user to type it in. So - I was unable to try the rest of your method...if you elevate to root, root also cannot delete the user account! This is the worst OS upgrade Ive ever experienced - so many bugs